Creating a simple NAT and DMZ firewall using a bash script

March 8, 2021


In this article, we will create a simple NAT firewall with a DMZ using iptables, driven from a short bash script.

Prerequisites

Besides having a Terminal open, you need to ensure that iptables is installed on your machine. The script changes firewall policy and kernel settings, so it must be run as root (or via sudo).

Write script

We will write a script to set up a DMZ using iptables. Create a dmz_iptables.sh script and write the following code in it:

dmz_iptables.sh

#!/bin/bash
# Run as root.

# set the default policy to DROP: anything not explicitly accepted below is discarded
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# flush any rules left from a previous run so re-running the script does not append duplicates
iptables -F
iptables -t nat -F

# configure the system as a router by enabling IP forwarding
sysctl -w net.ipv4.ip_forward=1

# allow the internal network (eth0) to open connections to the DMZ (eth2);
# the DMZ may only send replies (ESTABLISHED,RELATED) back to the internal network
iptables -t filter -A FORWARD -i eth0 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow the internet (ens33) to open connections to the DMZ (eth2);
# the DMZ may only send replies back to the internet
iptables -t filter -A FORWARD -i ens33 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o ens33 -m state --state ESTABLISHED,RELATED -j ACCEPT

# redirect incoming web requests arriving at ens33 (200.0.0.1) of the firewall to the web server at 192.168.20.2
iptables -t nat -A PREROUTING -p tcp -i ens33 -d 200.0.0.1 --dport 80 -j DNAT --to-destination 192.168.20.2
iptables -t nat -A PREROUTING -p tcp -i ens33 -d 200.0.0.1 --dport 443 -j DNAT --to-destination 192.168.20.2

# redirect incoming mail (SMTP) requests arriving at ens33 (200.0.0.1) of the firewall to the mail server at 192.168.20.3
iptables -t nat -A PREROUTING -p tcp -i ens33 -d 200.0.0.1 --dport 25 -j DNAT --to-destination 192.168.20.3

# redirect incoming DNS requests arriving at ens33 (200.0.0.1) of the firewall to the DNS server at 192.168.20.4
iptables -t nat -A PREROUTING -p udp -i ens33 -d 200.0.0.1 --dport 53 -j DNAT --to-destination 192.168.20.4
iptables -t nat -A PREROUTING -p tcp -i ens33 -d 200.0.0.1 --dport 53 -j DNAT --to-destination 192.168.20.4

How it works

The script first sets the default policy of the INPUT, OUTPUT and FORWARD chains to DROP, so anything that is not explicitly accepted is discarded, and turns on IP forwarding so the machine routes between its three interfaces: eth0 (internal network), eth2 (DMZ) and ens33 (internet, with the public address 200.0.0.1). The FORWARD rules then come in pairs: one direction may open new connections (NEW), the opposite direction may only carry replies (ESTABLISHED,RELATED). The internal network can initiate connections to the DMZ but the DMZ cannot initiate into the internal network, and the internet can initiate connections to the DMZ but the DMZ cannot initiate connections out to the internet. There is no pair for eth0 and ens33, so internal hosts have no path to the internet at all in this script. Finally, the nat PREROUTING rules rewrite the destination of packets arriving on ens33 for 200.0.0.1 on ports 80 and 443, 25, and 53 to the web, mail and DNS servers in the DMZ. DNAT happens before the FORWARD chain is consulted, so those packets then carry a DMZ destination and match the ens33-to-eth2 rule.

A few points to be aware of before using this on a real network. The ens33-to-eth2 rule accepts any new connection to any DMZ host and any port, not only the ports published by DNAT, so a DMZ service that happens to be listening (SSH, a management interface) is not protected by the filter; the accept should be scoped to the published protocol, host and port. The OUTPUT DROP policy applies to the firewall host itself, which therefore cannot originate traffic (package updates, DNS lookups, log shipping) until INPUT and OUTPUT rules are added for it. The rules live only in the running kernel and are lost on reboot unless saved with iptables-save and restored at boot. IPv6 is untouched, because ip6tables keeps its own tables and its default policy remains whatever the system had.
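The same design with the internet-to-DMZ rule tightened, as an added example that is not part of the original article. It keeps the article's interface names, public address and DMZ servers; the internal subnet 192.168.10.0/24, the MASQUERADE rule that gives internal hosts internet access, and the IPT and SYSCTL overrides used for dry runs are assumptions made for this example. Each published service is one function call that emits both the DNAT rule and a FORWARD accept limited to that protocol, host and port, so the two cannot drift apart.

```shell
#!/bin/sh
# dmz_publish.sh - added example, not the article's script. Same NAT + DMZ
# layout (eth0 internal, eth2 DMZ, ens33 internet at 200.0.0.1), but the
# internet may only open connections to DMZ services that are explicitly
# published, and each service is one function call instead of hand-written
# DNAT and FORWARD rules that can drift apart.
set -eu

IPT="${IPT:-iptables}"        # overridable so the rule set can be dry-run
SYSCTL="${SYSCTL:-sysctl}"
WAN_IF=ens33; WAN_IP=200.0.0.1
LAN_IF=eth0;  LAN_NET=192.168.10.0/24   # assumed internal subnet (not in the article)
DMZ_IF=eth2

# Publish one DMZ service: DNAT on the public address plus a FORWARD accept
# scoped to exactly this protocol, DMZ host and port. FORWARD sees the
# post-DNAT destination, so matching on the DMZ address is correct.
publish_service() {
    proto=$1; port=$2; dmz_host=$3
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" -d "$WAN_IP" \
        --dport "$port" -j DNAT --to-destination "$dmz_host"
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p "$proto" -d "$dmz_host" \
        --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
}

base_policy() {
    # Deny by default, then flush so re-running the script does not stack rules.
    $IPT -P INPUT DROP; $IPT -P OUTPUT DROP; $IPT -P FORWARD DROP
    $IPT -F; $IPT -t nat -F
    $SYSCTL -w net.ipv4.ip_forward=1
    # One reply rule for every direction replaces a per-interface-pair copy.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # Internal hosts may open connections to the DMZ and, masqueraded, to the internet.
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    # Nothing else is accepted: the DMZ cannot initiate into the LAN or out to
    # the internet, and the internet reaches the DMZ only via publish_service.
}

apply_dmz_policy() {
    base_policy
    publish_service tcp 80  192.168.20.2   # web
    publish_service tcp 443 192.168.20.2
    publish_service tcp 25  192.168.20.3   # mail
    publish_service udp 53  192.168.20.4   # DNS
    publish_service tcp 53  192.168.20.4
}

# Run any of the functions above with the commands echoed instead of executed.
dry_run() { ( IPT="echo iptables"; SYSCTL="echo sysctl"; "$@" ); }

# Number of iptables invocations a full apply would make (10 base + 2 per service).
rule_count() { dry_run apply_dmz_policy | grep -c '^iptables '; }

case "${1:-}" in
    apply)   apply_dmz_policy ;;        # needs root
    dry-run) dry_run apply_dmz_policy ;;
esac
```

Run `./dmz_publish.sh dry-run` to review the exact commands, then `sudo ./dmz_publish.sh apply`. Because FORWARD is evaluated after PREROUTING DNAT, the accept rule matches on the DMZ server's address and port, so a connection from the internet to a DMZ port that has not been published is dropped by the default policy even though a route to the DMZ exists. Persisting the result across reboots (iptables-save) and an IPv6 equivalent are still the administrator's job.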

Satish Kumar

I am Satish Kumar, Founder of LinuxConcept. Linux and F.O.S.S enthusiast, I love to work on open source platforms and technologies.

